UtterAccess.com
X   Site Message
(Message will auto close in 2 seconds)

Welcome to UtterAccess! Please ( Login   or   Register )

Custom Search
2 Pages V  1 2 >  (Go to first unread post)
   Reply to this topicStart new topic
> Building A 'virtual Com Object', Any Version    
 
   
JonSmith
post Jun 18 2018, 07:01 AM
Post#1


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



Hi everyone,

So I've been diving into this utility. https://www.everythingaccess.com/vbwatchdog.asp
I've been looking at the example file they provided in the guides.

In a nutshell it handles errors and stuff. All the things it can do, like accessing the callstack are things I didn't think could be done in VBA yet you can just drop the 4 modules from that utility into any VBA file and they work on any machine. It's entirely portable.
This is kind of fascinating to me. I dug into those modules and really struggled to make alot of sense of them, then some of it clicked together.
Here is what I think is happening. The VBA is using a .dll to handle all those things, so the COM stuff is able to do the advanced stuff we see.
What is crazy though is this COM object is built in VBA rather than being a separate compiled .dll
The VBA has this long string in it which I think is the compiled .dll source code, it also has another module with 129 subs that seemingly do nothing (they have no code in them) however if you export as text they all contain the same kind of strings that look like compiled dll code.

Now I've been working this out and searching all morning but I cannot find any kind of information or tutorials about how this sort of thing works.
I'd love to do this for my own purposes. I have some logging stuff that I built to keep track of all events that occur but its more clunky to implement and some COM functionality should change that.

Anyone have any ideas?
Here is a snippet from the sample file that I believe has the compiled source code as a string embedded in it. See 'NativeCode'

CODE
' ----------------------------------------------
' Virtual-COM initialization routine:
' ----------------------------------------------
Private Sub Class_Initialize()

    With m_Loader
        .NativeCode = "%EEEE%::::PPPPPPPPPH+D$ XXXtNXXXXXXVSPPPPj PPPPPPPP4T)D$04P)D$,4'4 )D$($ PZ3D$@+D$ YQ3H +L$ XP3Q +T$0XPf55ntvf)B|+T$0+T$0+T$0R[YQ^VXP2CP<0tF1D$$kD$$@!L$$2CQ1D$$kD$$@!L$$2CR1D$$kD$$@!L$$2CS+\$,3BP1BP1rP3rP+T$(  XXXXXXXXXXXXX[^tJAYAZQ4tPPPPH)D$@4pH)D$84'4 H)D$0$ PH+L$ H3AtH+D$ L3PtL+T$HXPf55{L+T$HL+T$HtqfA)B8ARA[YQXPA2CD<0tR1D$0kD$0@L!L$0A2CE1D$0kD$0@L!L$0A2CF1D$0kD$0@L!L$0A2CGL+\$@A3BDA1BDA1JDA3JDL+T$8  XXXXXYXXXXqBLHOJA@n[??n[=ezoieZZprkhs^ljbZljbZ=bNZ_Q_>HirF[Q^Z[IrzRM wGDDoeTtKTfdGVduCVduCGhiCGhygGhygCmzXGcH[D_J^DV VfF VX<TI@<_veu]flqomliCuelQxpdudatE@hrwIkzSMzvOizw_Mzw_MssLJssLZBCLZ@A]^@A]^TNa^oFmn^nIv@aSsbT?WeWnSg_DCgKjKWCgHe[wJGe;?@fj;Ifyr@cfMAmTN_rNKNzxilIhMnADMgDV@cm;<jihu?aE=]rdY\puMUpgDuAa;UqSWBSPSUG=LUFNNESSOPGVYEbGXQWROj__GHKjOj_MIHKj^x?IRh=XVh=XVKH<VYKlJWLbAEtOIg@nIDT^HJVOD[KGudwGDEeFT[reTWJ@\ht>a;r>cruLna<Mniy?eKL_]zy?\pznXpznXANNXIL_\IL_\xSc\iMIUzQIdEoomgyo=XAyzJCDBXN>=QKmvHmtvO]HXO]J\O]J\m]hV?]mXmQvgl=tdpaS RUqPBV \PRocNMQflywB>;gFluaO?jKF@UIO ai_vUJ[apwFqeFGfACZVu>[0"

        .LoaderMem = VirtualAlloc(0, Len(.NativeCode), MEM_RESERVE_AND_COMMIT, PAGE_EXECUTE_RW)
        If .LoaderMem = 0 Then Err.Raise ERR_OUT_OF_MEMORY

        .RootObjectMem = VirtualAlloc(0, ROOTOBJECT_SIZE, MEM_RESERVE_AND_COMMIT, PAGE_EXECUTE_RW)
        If .RootObjectMem = 0 Then Err.Raise ERR_OUT_OF_MEMORY

        .vtbl_QueryInterface = .LoaderMem
        .VTablePtr = VarPtr(m_Loader)
        .Kernel32Handle = GetModuleHandleA("KERNEL32")
        .GetProcAddress = GetProcAddress(.Kernel32Handle, "GetProcAddress")
        .SysFreeString = GetProcAddress(GetModuleHandleA("OLEAUT32"), "SysFreeString")
        .WideCharToMultiByte = GetProcAddress(GetModuleHandleA("KERNEL32"), "WideCharToMultiByte")
        Set .HelperObject = New ErrEx_Helper
        Call CopyMemory(ByVal .LoaderMem, ByVal .NativeCode, Len(.NativeCode))
        Call CopyMemory(.RootObject, VarPtr(.VTablePtr), LenB(.VTablePtr))
        .IgnoreFlag = TypeOf .RootObject Is VBA.Collection
        Set .ClassFactory = (.RootObject)
        Set .RootObject = Nothing
        VirtualFree .LoaderMem, 0, MEM_RELEASE
        Call .ClassFactory.Init(.Kernel32Handle, .GetProcAddress, OPTION_BASE + OPTION_FLAGS, VBA_VERSION, .HelperObject)
        Set m_VCOMObject = .ClassFactory.GetErrEx()
    End With

End Sub


JS

Go to the top of the page
 
zaxbat
post Jun 18 2018, 07:23 AM
Post#2



Posts: 1,184
Joined: 26-January 06
From: .....the wiregrass (either you know or you don't)


Most likely the .nativecode snippet is an actual .com type executable that is embedded at first but taken out and run during a call to that routine. These can be really dangerous, so be careful. You do not know what all that executable might be doing inside your system.
Go to the top of the page
 
JonSmith
post Jun 18 2018, 07:30 AM
Post#3


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



Yes, I can see how something like that could easily exploit your system, but no more than any other COM addin you might install right?
This utility has come recommended by other users on here and seems like a legit commercial product so I don't really have security concerns.

If you understand abit on how it works can you explain abit to me, confirm what I got right and correct what I got wrong? Pointers for me to do this with a "Hello World" style COM application?

JS
Go to the top of the page
 
zaxbat
post Jun 18 2018, 08:18 AM
Post#4



Posts: 1,184
Joined: 26-January 06
From: .....the wiregrass (either you know or you don't)


So sorry, I have not actually worked with this area of VBA. But it seems clear what they are doing. The .nativecode part has a compiled executable embedded which can be shelled out at runtime. It might be C, C#, C++ or some other type....presumably you could try to decompile it and find out more. But that probably violates some agreement you made when you elected to use it.
Go to the top of the page
 
JonSmith
post Jun 18 2018, 08:29 AM
Post#5


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



You misunderstand.
I don't care about exposing their code. I am interested in the methodology.
I want to know how I can do this myself, like I said, an example with a "Hello World" compiled executeable is fine.
Go to the top of the page
 
zaxbat
post Jun 18 2018, 08:33 AM
Post#6



Posts: 1,184
Joined: 26-January 06
From: .....the wiregrass (either you know or you don't)


You do not need to concentrate on the .nativecode part then. Instead you need to figure out how to create that class in your own code. Does the code you have show all of the source for that, and what type of object they create for it? You can create your own small hello world executable in any number of ways....then do a binary input of it into the .nativecode member.
Go to the top of the page
 
JonSmith
post Jun 18 2018, 08:40 AM
Post#7


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



Thats why I'm asking for help. Lets say I make my Hello World and get the embedded text from it. How would I then call that in VBA, especially since you say I won't be using .NativeCode?

QUOTE
Does the code you have show all of the source for that, and what type of object they create for it?

I'm am not sure what you are asking, but in addition to that nativecode part there is a bunch of information embedded in procs in another class. These are all weird though as hidden as procedure descriptions so you need to export to text to see them.
For example

CODE
Public Sub NATIVECODE0000_EVERYTHINGACCESS(): End Sub
Attribute NATIVECODE0000_EVERYTHINGACCESS.VB_Description = "%EEEE%::::RPZPPPh $$$j PPPPH+T$ t5AYAZkDTX 5v""z{L3TQ@M3LR@A)DR@Xf5@@fA)AUXI3DR@ZZZZZZ?!, @RY3LDl3TA@PY,VH)DJ@XXXXXXXXXX%EEEE%::::VSPPPPj PPPPPPPP4T)D$04P)D$,4'4 )D$($ PZ3D$@+D$ YQ3H +L$ XP3Q +T$0XPf55nf)BUR[YQ^VXP2Cf<0tF1D$$kD$$@!L$$2Cg1D$$kD$$@!L$$2Ch1D$$kD$$@!L$$2Ci+\\$,3Bf1Bf1rf3rf+T$(  XXXXXXXXXXXXX[^AABhWQBh]MDkGaC sQW sQVlcAB<cA@IrIeYMyD=oLflnNv N^QkNzYjqJYkR?NKhwIghwqG?oUGOlZSchLZNlZS hLZOlZS hLXaWn[CfOfZL>cKUmdtjDptjGO[nPptjG;uUdxm;EDtSRCKlmyRLmaKDzfu;E\\m[GDtsPCKLoy;<nIzw_Lzw_LUsIGR<kDqMRypVb<pVf<eNJ<GXQ@Z]GDeby>JfoAebyJcm[IRSRuRXcpRXcp=\\t;=UuFbEuFs]Y]fEwaDSm]mW;YRiDc=mS\\RiEWS EjL Ej]<ZO]<Xs>LXs^wivAgJNQ?fPW?plW?pmyzffXrC@fNRUYqmj;J\\o[qmjDqNRUmQpUmSLw]SLWfbIHqaqYiMo=i[S=i[SRlMXsd"


There are 129 of these
Go to the top of the page
 
zaxbat
post Jun 18 2018, 09:00 AM
Post#8



Posts: 1,184
Joined: 26-January 06
From: .....the wiregrass (either you know or you don't)


I imagine that they created/defined their own class/structure/object and that .nativecode is simply a member in that class. So you can use that class as well if you have access to its definition. The same way you create a DAO.recordset object like this....DIM rs as DAO.Recordset you can create one of these .com objects and then stuff your Hello World program into it. Should work very similarly. Did you have to go into VBA tools and add a new reference before you could use their routines? If not, then everything you need should be right in front of you in the source. Figuring out how to utilize it might be quite simple or might be very complicated. Depends on how they designed it. Additionally, could be that all of those empty sub routines are unused call-out stubs......or they could simply appear empty now but are actually stuffed with executable code at runtime.
This post has been edited by zaxbat: Jun 18 2018, 09:04 AM
Go to the top of the page
 
JonSmith
post Jun 18 2018, 09:13 AM
Post#9


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



QUOTE
Did you have to go into VBA tools and add a new reference before you could use their routines?


No, thats what I am saying. There are zero references, there are no .dll's installed on the machine, there are no executeables run.
Its all in VBA, thats why I'm not following what you are saying. The nativecode bit has to be the thing that kicks it all of. Thats where the exposed code is right?
Go to the top of the page
 
zaxbat
post Jun 18 2018, 09:19 AM
Post#10



Posts: 1,184
Joined: 26-January 06
From: .....the wiregrass (either you know or you don't)


the initial routine should be apparent then....and you should see it call into other routines. Sounds pretty slick. Problem is, you don't know how they have set up the interaction if it is all in the .nativecode parts.
Go to the top of the page
 
JonSmith
post Jun 18 2018, 09:21 AM
Post#11


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



What I posted is the inital routine.
I'm asking how it works. How would I do this with an "Hello World".
Go to the top of the page
 
zaxbat
post Jun 18 2018, 10:01 AM
Post#12



Posts: 1,184
Joined: 26-January 06
From: .....the wiregrass (either you know or you don't)


Trying to pick apart how they make their watchdog work is probably not the easiest way to put a hello world executable into your app. You might want to read up on powershell operations.
Go to the top of the page
 
PhilS
post Jun 18 2018, 10:45 AM
Post#13



Posts: 615
Joined: 26-May 15
From: The middle of Germany


Yes, vbWatchdog is pretty amazing stuff. And this applies to its internal workings regarding the call stack as well as to the integration as virtual COM object into VBA.

Wayne has roughly described the implementation of the Virtual COM technique in context with his Mouse Scroll Wheel Hook.

I've experimented a bit myself with the raw COM API in VBA, but I'm afraid that is as good as it gets regarding any information specifically for VBA. If you want to replicate the stuff Wayne did, you need to dig deep into COM and DLL loading.


Go to the top of the page
 
JonSmith
post Jun 18 2018, 11:15 AM
Post#14


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



Zax, I am not trying to pick apart their watchdog. I care about the method of building a COM object in VBA. This is the only example I have of it, I'm asking for insight or other examples.
So. To clarify, I am amazed at the methodology of building a COM object in VBA and that is an example. I want to recreate the bare bones of this so it just does a Hello World thing, this is as a teaching exercise to myself to get the basics working before moving up to bigger stuff. I don't want to pick apart the vbWatchdogs COM code, just how they launch the COM from VBA.
What do you mean look up Powershell operations? I can code in Powershell but don't see how this is related. A link would be great.


PhilS, I think you get what I am after. Those links look very promising, I remember the MouseHook thing having to use a .dll and one that didn't. If thats the same sort of thing as this it could be a great way to figure this out!
My workday has finished here so I can dive into these properly later.
Thank you!!

If anyone else still have thoughts please share them!
Go to the top of the page
 
jleach
post Jun 18 2018, 02:57 PM
Post#15


UtterAccess Editor
Posts: 10,087
Joined: 7-December 09
From: St Augustine, FL


I'll agree with Phil here... Wayne's method of doing this is unlike anything anyone else has done with VBA before, and requires a deep understanding of COM technology (which is not a walk in the part by any means... .NET was written mainly because COM is so friggin complicated - OTOH, we'd have a lot less mediocre programmers if they didn't make it so easy with .NET, I guess).

Therefore, if you want to be able to learn and use this methodology, you should first take on a deep study of COM programming.

From there, what he does is essentially store the definitions of objects as strings (gibberish) within the VBA modules, then uses some low-level Windows APIs to push the "compiled" (for lack of better word) content of those strings (which "compile" to a COM object) into a memory buffer which the loading project reads as a COM object.

The actual VBA portion of this and loading the "object" into an address space is the easy part: understanding how to structure that "object" so the loading assembly reads it as a valid COM object is the hard part (and thus why a strong knowledge of COM programming is required).

With all that said, I should note that COM programming as a major platform has been gradually falling off the wayside for many years now... the only things that use it anymore are those that are more or less grandfathered into it (like Office...)

(FWIW, Phil has a better handle on this stuff than I do... BananaRepublic is good with it as well, but other than that Wayne would be the only person I could think to ask for further direction)

Cheers,
Go to the top of the page
 
jleach
post Jun 18 2018, 03:03 PM
Post#16


UtterAccess Editor
Posts: 10,087
Joined: 7-December 09
From: St Augustine, FL


I don't have the book on my self here (we're packing to relocate and all my books are in boxes cryhard.gif ), but take a look for a copy of Hardcore Visual Basic 5.0 by a guy named Bruce McKinney (I think... Bruce something anyway).

It's obviously dated, but when he says hardcore, he means it. It taps into really twisting around VB and COM integrations quite a bit and digs (very) deeply into the internals of VB as a language. Most of it is way over my head - don't get to say that often smile.gif

Most of it is applicable to VBA (which is essentially a stripped down version of VB6).
Go to the top of the page
 
jleach
post Jun 18 2018, 03:17 PM
Post#17


UtterAccess Editor
Posts: 10,087
Joined: 7-December 09
From: St Augustine, FL


It might also be worth noting that this is in no way any sort of standard practice. Myself (as amazing as it is and as skilled a programmer as Wayne is), I file under some of the biggest hacks ever, albeit a very solid one.
Go to the top of the page
 
JonSmith
post Jun 19 2018, 02:24 AM
Post#18


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



Jack, that is some awesome insight! Thank you so much. What you describe as the gibberish strings was pretty much what I had guessed was happening so at least I was on the right track.
Thanks so much for the references. I am not so much of a book person when it comes to programming, I've always just dived head first into code (never actually read a programming book).
At least I know a few names I can look to if I manage to progress on this. Depending on quite how difficult it is it might be worth the effort of learning some of this.

JS
Go to the top of the page
 
JonSmith
post Jun 19 2018, 02:46 AM
Post#19


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



Also PhilS, I just read the Mousehook stuff and looked at the code. Its exactly what I wanted. I used that mousehook thing for years before we upgraded to Access 2010 but this stuff would have been incomprehensible to me back then so I didn't realise what it did. I cannot pretend to properly grasp it now either but I can at least follow along.

JS
Go to the top of the page
 
JonSmith
post Jun 19 2018, 07:11 AM
Post#20


UtterAccess VIP
Posts: 4,053
Joined: 19-October 10



To be fair what I am thinking might be some sort of pipe dream anyway. I was assuming that Wayne was able to access the callstack etc in some .net programming language and was manipulating it that way, further to that I thought you could do more to 'catch' VBA events.
It seems he may have actually just hacked the memory to read the callstack directly which whilst impressive wouldn't fit in with my thoughts.

In a nutshell its related to logging all actions that occur in a tool as some sort of super detailed audit trail, it would record every click and every event fire. I was hoping I could get a log of these events in a similar way to Wayne found the callstack.
My current method involves logging at the start and end of every event manually which is, in a word, a pain.

I'll try to find contact details for him and pick his brain and see what he thinks is possible.
Go to the top of the page
 
2 Pages V  1 2 >


Custom Search


RSSSearch   Top   Lo-Fi    17th September 2019 - 04:18 AM